CLI

Usage: cfripper [OPTIONS] [TEMPLATES]...

  Analyse AWS Cloudformation templates passed by parameter.

Options:
  --version                       Show the version and exit.
  --resolve / --no-resolve        Resolves cloudformation variables and
                                  intrinsic functions  [default: False]
  --resolve-parameters FILENAME   JSON/YML file containing key-value pairs
                                  used for resolving CloudFormation files with
                                  templated parameters. For example, {"abc":
                                  "ABC"} will change all occurrences of
                                  {"Ref": "abc"} in the CloudFormation file to
                                  "ABC".
  --format [json|txt]             Output format  [default: txt]
  --output-folder DIRECTORY       If not present, result will be sent to
                                  stdout
  --logging [ERROR|WARNING|INFO|DEBUG]
                                  Logging level  [default: INFO]
  --help                          Show this message and exit.

Examples

Normal execution

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
    - FullWildcardPrincipalRule: rootRole should not allow wildcards in principals (principal: '*')
    - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Valid: True

Using resolve flag

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt --resolve
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
    - FullWildcardPrincipalRule: rootRole should not allow wildcards in principals (principal: '*')
    - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
    - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Monitored issues found:
    - PartialWildcardPrincipalRule: rootRole contains an unknown principal: 123456789012
    - PartialWildcardPrincipalRule: rootRole should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789012:root')
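The "Using resolve flag" run above shows why resolution matters: /tmp/root_bypass.json passes every rule as written, but once the template is resolved the account-wide principal arn:aws:iam::123456789012:root becomes visible and the PartialWildcardPrincipalRule fires. The following is an added illustration, not cfripper's own code: it applies the substitution the --resolve-parameters option describes ({"Ref": "abc"} becomes "ABC") and additionally evaluates Fn::Join, on a constructed template and parameter set, then runs a minimal account-wide-principal check before and after resolution. The template, the parameter values, and the function names are all assumptions made for this example.

```python
"""Resolve Ref / Fn::Join before inspecting IAM role principals.

Added example, not cfripper's own code. It mimics the parameter
substitution described for --resolve-parameters on a constructed
template, to show that a rule run on the unresolved template can miss
an account-wide principal that is only assembled at deploy time.
"""
from typing import Any

# Constructed parameter file content, in the key -> value shape the page
# describes for --resolve-parameters.
PARAMETERS = {"TrustedAccount": "123456789012"}

# Constructed template: the trust-policy principal is built with Fn::Join
# from a Ref, so the final ARN does not appear literally anywhere.
TEMPLATE = {
    "Parameters": {"TrustedAccount": {"Type": "String"}},
    "Resources": {
        "rootRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": "sts:AssumeRole",
                            "Principal": {
                                "AWS": {
                                    "Fn::Join": [
                                        "",
                                        ["arn:aws:iam::", {"Ref": "TrustedAccount"}, ":root"],
                                    ]
                                }
                            },
                        }
                    ]
                }
            },
        }
    },
}


def resolve(node: Any, params: dict) -> Any:
    """Recursively replace {"Ref": name} with params[name] and evaluate
    Fn::Join once all of its parts are plain strings. Refs that are not
    parameters (e.g. resource logical ids) are left untouched."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and node["Ref"] in params:
            return params[node["Ref"]]
        if set(node) == {"Fn::Join"}:
            delimiter, parts = node["Fn::Join"]
            parts = [resolve(p, params) for p in parts]
            if all(isinstance(p, str) for p in parts):
                return delimiter.join(parts)
            return {"Fn::Join": [delimiter, parts]}
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node


def _trust_statements(template: dict):
    """Yield (role name, statement) for every AssumeRolePolicyDocument."""
    for name, res in template.get("Resources", {}).items():
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        stmts = doc.get("Statement", [])
        if isinstance(stmts, dict):
            stmts = [stmts]
        for stmt in stmts:
            yield name, stmt


def account_wide_principals(template: dict) -> list:
    """Return string principals that grant a whole account: '*' or an
    ARN ending in ':root'. Unresolved intrinsic functions are dicts,
    not strings, and therefore never match; that is the blind spot."""
    found = []
    for _name, stmt in _trust_statements(template):
        principal = stmt.get("Principal")
        if principal == "*":
            values = ["*"]
        elif isinstance(principal, dict):
            aws = principal.get("AWS", [])
            values = aws if isinstance(aws, list) else [aws]
        else:
            values = []
        for v in values:
            if isinstance(v, str) and (v == "*" or v.endswith(":root")):
                found.append(v)
    return found


if __name__ == "__main__":
    print("unresolved:", account_wide_principals(TEMPLATE))
    print("resolved:  ", account_wide_principals(resolve(TEMPLATE, PARAMETERS)))
```

Running the script prints an empty list for the unresolved template and the 123456789012 root ARN for the resolved one, mirroring the Valid: True / Valid: False difference between the two cfripper runs above. When a parameter value is not known at scan time the Ref is left in place, which is the same reason cfripper's resolve output can still contain "unknown principal" findings.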

Using json format and output-folder argument

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format json --resolve --output-folder /tmp
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root.yaml.cfripper.results.json
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root_bypass.json.cfripper.results.json